Questions tagged [tcpdump]

tcpdump is a CLI tool for capturing and displaying packets sent and received by network devices.

453 questions
163 votes, 6 answers

How can I read pcap files in a friendly format?

a simple cat on the pcap file looks terrible: $cat tcp_dump.pcap ?ò????YVJ? JJ ?@@.?E
asked by Tony (4,053 rep)

83 votes, 3 answers

Human-readable format for HTTP headers with tcpdump

I would like to view the HTTP headers sent from Apache (listening on port 80) to Tomcat (on port 4080) in a Linux machine. According to Wikipedia, header fields are colon-separated name-value pairs in clear-text string format. I've tried some…
asked by Adam Matan (12,504 rep)

65 votes, 6 answers

How to capture ACK or SYN packets with tcpdump?

I want to use a filter rule to capture only ACK or SYN packets. How do I do this?
asked by larry (3,927 rep)

53 votes, 5 answers

How to split a pcap file into a set of smaller ones

I have a huge pcap file (generated by tcpdump). When I try to open it in Wireshark, the program just becomes unresponsive. Is there a way to split a file into a set of smaller ones to open them one by one? The traffic captured in a file is generated by two…
asked by facha (1,298 rep)

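For this question and the earlier "How can I read pcap files in a friendly format?" one, an added example that is my own code and not from either post: a standard-library Python reader for the classic pcap format (24-byte global header, 16-byte record headers, then raw frames) that prints tcpdump-style lines and cuts a capture into self-contained pieces, each with its own copy of the global header. The capture it reads is constructed inline: a TCP handshake and one HTTP request between 10.0.0.5 and 10.0.0.80, with MAC addresses, ports, timestamps and zero checksums all assumed. Only Ethernet/IPv4/TCP is decoded; pcapng files (the Wireshark default) and nanosecond-resolution pcap files are rejected by the magic check rather than misread.

```python
import struct

ETH_HDR = 14                      # Ethernet II header length
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
# magic number -> struct byte-order prefix (big-endian / little-endian, microsecond timestamps)
PCAP_MAGIC = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<"}
# flag letters in the order tcpdump prints them inside Flags [...]; ACK is shown as "."
TCP_FLAG_NAMES = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."), (0x20, "U"))


def pcap_global_header(buf):
    """Parse the 24-byte global header and return (byte-order prefix, snaplen, linktype)."""
    endian = PCAP_MAGIC.get(bytes(buf[:4]))
    if endian is None:            # pcapng (0x0a0d0d0a) or nanosecond-pcap magic ends up here
        raise ValueError("unsupported capture format, magic %r" % bytes(buf[:4]))
    _vmaj, _vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", buf[4:24])
    return endian, snaplen, linktype


def iter_records(buf):
    """Yield (ts_sec, ts_usec, frame, raw_record) for every packet record in buf."""
    endian, _snaplen, _linktype = pcap_global_header(buf)
    off = 24
    while off + 16 <= len(buf):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", buf[off:off + 16])
        end = off + 16 + incl_len
        if end > len(buf):        # capture cut short, e.g. tcpdump killed while writing
            raise ValueError("truncated record at offset %d" % off)
        yield ts_sec, ts_usec, buf[off + 16:end], buf[off:end]
        off = end


def summarize(frame):
    """Decode Ethernet/IPv4/TCP into a tcpdump-style line; anything else is only labelled."""
    if len(frame) < ETH_HDR + 20:
        return "truncated frame, length %d" % len(frame)
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return "ethertype 0x%04x, length %d" % (ethertype, len(frame))
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    if ip[9] != IPPROTO_TCP:
        return "IP %s > %s: proto %d, length %d" % (src, dst, ip[9], len(ip))
    tcp = ip[ihl:]
    if len(tcp) < 14:             # snaplen cut the TCP header off
        return "IP %s > %s: truncated TCP header" % (src, dst)
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    flags = "".join(name for bit, name in TCP_FLAG_NAMES if off_flags & bit)
    payload = tcp[(off_flags >> 12) * 4:]            # data offset sits in the top 4 bits
    return "IP %s.%d > %s.%d: Flags [%s], seq %d, ack %d, length %d" % (
        src, sport, dst, dport, flags, seq, ack, len(payload))


def read_pcap(buf):
    """Equivalent of `tcpdump -nr file.pcap`: one summary line per packet."""
    return ["%d.%06d %s" % (ts, us, summarize(frame)) for ts, us, frame, _raw in iter_records(buf)]


def split_pcap(buf, packets_per_file):
    """Cut a capture into self-contained files of at most packets_per_file records (what editcap -c does)."""
    header = bytes(buf[:24])                         # every piece needs its own global header
    chunks, current = [], []
    for _ts, _us, _frame, raw in iter_records(buf):
        current.append(raw)
        if len(current) == packets_per_file:
            chunks.append(header + b"".join(current))
            current = []
    if current:
        chunks.append(header + b"".join(current))
    return chunks


# ---- constructed sample capture: a TCP handshake followed by an HTTP request ----
def _frame(src, dst, sport, dport, flags, seq, ack=0, payload=b""):
    """Ethernet/IPv4/TCP frame with checksums left at zero (the reader does not verify them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


def build_pcap(frames):
    """Little-endian classic pcap, linktype 1 (Ethernet), one record per frame."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", 1700000000, 1000 * i, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_PCAP = build_pcap([
    _frame("10.0.0.5", "10.0.0.80", 40000, 80, 0x02, seq=100),                                 # [S]
    _frame("10.0.0.80", "10.0.0.5", 80, 40000, 0x12, seq=500, ack=101),                        # [S.]
    _frame("10.0.0.5", "10.0.0.80", 40000, 80, 0x10, seq=101, ack=501),                        # [.]
    _frame("10.0.0.5", "10.0.0.80", 40000, 80, 0x18, seq=101, ack=501, payload=HTTP_REQUEST),  # [P.]
])

if __name__ == "__main__":
    for line in read_pcap(SAMPLE_PCAP):
        print(line)
    print("pieces:", [len(read_pcap(c)) for c in split_pcap(SAMPLE_PCAP, 3)])
```

Where tcpdump and Wireshark are installed, `tcpdump -nr file.pcap` prints the same kind of line (`-n` avoids the DNS lookups that make reading a large file slow) and `editcap -c 100000 big.pcap piece.pcap` does the split; for a huge file it is often better still to reduce it first with `tcpdump -r big.pcap -w part.pcap 'host 10.0.0.5'` so Wireshark only loads the conversation of interest.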
42 votes, 7 answers

Monitoring HTTP traffic using tcpdump

To monitor HTTP traffic between a server and a web server, I'm currently using tcpdump. This works fine, but I'd like to get rid of some superfluous data in the output (I know about tcpflow and Wireshark, but they're not readily available in my…
asked by otto.poellath (545 rep)

37 votes, 3 answers

tcpdump on multiple interfaces

I need to capture traffic on a CentOS 5 server which acts as a web proxy with 2 WAN interfaces and 1 LAN. In order to troubleshoot a weird proxy problem, I would like to have a capture of a full conversation. Since external connections are balanced…
asked by Nahidul islam (371 rep)

34 votes, 1 answer

Will tcpdump see packets that are being dropped by iptables?

I have a firewall with these simple rules:
iptables -A INPUT -p tcp -s 127.0.0.1/32 --dport 6000 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.16.20/32 --dport 6000 -j ACCEPT
iptables -A INPUT -p tcp --dport 6000 -j REJECT
Now, suppose I am using…
asked by Pablo Santa Cruz (1,084 rep)

33 votes, 6 answers

How do I make tcpdump not print the TCP headers?

I tried this: tcpdump -s 1500 -A -l -i eth0 '(port 6667) and (length > 74)' I need only the ASCII part of it. How do I remove the rest?
asked by coder (343 rep)

31 votes, 1 answer

Too many incorrect checksum errors in tcpdump

I find too many incorrect checksum errors from a tcpdump done on a GNU/Linux 64-bit server. There are close to 50% incorrect checksums in the export? cksum 0xe61f (incorrect (-> 0x8c37) How can we interpret this data? Does it affect performance a…
asked by Vishal (415 rep)

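An added example for the checksum question above (my own code, not from the post or from tcpdump): the RFC 1071 Internet checksum as tcpdump verifies it with `-v`, applied to a constructed IPv4/TCP packet twice. The usual reason a capture is full of "incorrect" TCP checksums is that it was taken on the sending host with TX checksum offload enabled: the kernel hands the packet to the capture tap before the NIC computes the checksum, so tcpdump sees a placeholder. On Linux that placeholder is the pseudo-header partial sum, which is what the `nic_has_run=False` branch models (an assumption about the offload path; other stacks may leave zero). The addresses, ports and payload are constructed.

```python
import struct


def inet_checksum(data):
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"                 # an odd trailing byte is padded with a zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src, dst, tcp_len):
    """IPv4 pseudo-header: src, dst, zero byte, protocol 6, TCP length."""
    return src + dst + struct.pack("!BBH", 0, 6, tcp_len)


def tcp_checksum(src, dst, tcp_segment):
    """TCP checksum over pseudo-header plus segment, with the checksum field itself taken as zero."""
    return inet_checksum(pseudo_header(src, dst, len(tcp_segment))
                         + tcp_segment[:16] + b"\x00\x00" + tcp_segment[18:])


def build_packet(src, dst, sport, dport, payload, nic_has_run):
    """Constructed IPv4/TCP packet. nic_has_run=True is the packet as it goes on the wire;
    nic_has_run=False is what a capture on the sending host sees with TX offload: the stack
    has stored only the pseudo-header partial sum and left the real work to the NIC."""
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000, (5 << 12) | 0x18, 65535, 0, 0) + payload
    if nic_has_run:
        cksum = tcp_checksum(s, d, tcp)
    else:
        cksum = (~inet_checksum(pseudo_header(s, d, len(tcp)))) & 0xFFFF
    tcp = tcp[:16] + struct.pack("!H", cksum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]   # IP header checksum is done by the stack
    return ip + tcp


def check(packet):
    """Return (ip_ok, tcp_ok, stored_tcp_cksum, expected_tcp_cksum) for an IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, tcp = packet[:ihl], packet[ihl:]
    ip_ok = inet_checksum(ip_hdr) == 0          # a valid header sums to zero with its checksum included
    stored = struct.unpack("!H", tcp[16:18])[0]
    expected = tcp_checksum(packet[12:16], packet[16:20], tcp)
    return ip_ok, stored == expected, stored, expected


def report(packet):
    """Format the verdict the way tcpdump -v prints it."""
    _ip_ok, tcp_ok, stored, expected = check(packet)
    if tcp_ok:
        return "cksum 0x%04x (correct)" % stored
    return "cksum 0x%04x (incorrect -> 0x%04x)" % (stored, expected)


if __name__ == "__main__":
    args = ("10.0.0.5", "10.0.0.80", 40000, 80, b"GET / HTTP/1.1\r\n\r\n")
    print("captured on sender, offload on :", report(build_packet(*args, nic_has_run=False)))
    print("captured on the wire / receiver:", report(build_packet(*args, nic_has_run=True)))
```

If the "incorrect" checksums are all on packets sent by the capturing host, the packets on the wire are fine and the capture is the artefact: `tcpdump -K` (`--dont-verify-checksums`) silences the warning, `ethtool -K eth0 tx off` turns the offload off so the kernel fills the field before the tap sees it, and a capture taken at the receiver or on a SPAN port shows the final values. The IP header checksum is not affected because the stack computes it itself, which the `ip_ok` value shows.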
29 votes, 1 answer

tcpdump filter on network and subnet mask

I'm using the following tcpdump command: tcpdump -w net75.out -s 0 host 65.207.95.222 I want to change the filter on the single host to be all addresses in the following subnet: 65.192.0.0/10 I have not been able to figure out how to specify a…
asked by harrije (293 rep)

28 votes, 9 answers

How to display interface in tcpdump output flow?

This seems to be quite a trivial problem, but after some searching I still can't figure out the answer. One can run tcpdump using "any" as the interface description, i.e.: # tcpdump -i any -n host 192.168.0.1 Is there any way to force tcpdump to show…
asked by mdrozdziel (734 rep)

22 votes, 7 answers

tcpdump: out.pcap: Permission denied

[root@localhost ~]# cat /etc/issue
Fedora release 17 (Beefy Miracle)
Kernel \r on an \m (\l)
[root@localhost ~]# uname -a
Linux localhost.localdomain 3.6.10-2.fc17.i686 #1 SMP Tue Dec 11 18:33:15 UTC 2012 i686 i686 i386 GNU/Linux
[root@localhost ~]#…
asked by chobo (323 rep)

21 votes, 4 answers

Monitor number of bytes transferred to/from IP address on port

Can anyone recommend a Linux command line tool to monitor the number of bytes transferred between the local server and a specified IP address/port? The equivalent tcpdump command would be: tcpdump -s 0 -i any -w mycapture.trc port 80 host…
asked by Mike (825 rep)

15 votes, 2 answers

tcpdump - Capturing packets on multiple IP addresses (filter)

What I need to do (via 'tcpdump' through Linux): • ECommerce App Servers: 192.168.1.2, 192.168.1.3, 192.168.1.4. - This is what I want to capture on (filtered on these exact IPs). Not an IP range (subnet) or an individual IP address, just several…
asked by Derek (183 rep)

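For this question and the earlier "tcpdump filter on network and subnet mask" one, an added example (my own code, not from either post or from libpcap): it composes the `host`/`net` expression for several exact addresses or a CIDR block, and evaluates the same mask-and-compare test the compiled BPF program performs. It also applies the rule libpcap enforces on `net`: the address must be the network address, so `net 65.207.95.222/10` is rejected with "non-network bits set" while `net 65.192.0.0/10` is accepted. The addresses are taken from the two questions; the packet pairs in the usage are constructed.

```python
import struct


def ip_to_int(addr):
    """Dotted quad -> 32-bit integer, as the filter compares it."""
    return struct.unpack("!I", bytes(int(o) for o in addr.split(".")))[0]


def prefix_mask(prefix_len):
    """/10 -> 0xFFC00000: the mask libpcap derives from the CIDR length."""
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def validate_net(net):
    """Reject a net whose host bits are set, like libpcap's 'non-network bits set' error."""
    base, prefix_len = net.split("/")
    base_int, mask = ip_to_int(base), prefix_mask(int(prefix_len))
    if base_int & ~mask & 0xFFFFFFFF:
        raise ValueError('non-network bits set in "%s"' % net)
    return base_int, mask


def net_match(addr, net):
    """Truth value of `net <net>` for one address: (addr & mask) == network."""
    base_int, mask = validate_net(net)
    return ip_to_int(addr) & mask == base_int


def filter_expr(hosts=(), nets=(), direction="", port=None):
    """Build the expression: exact hosts become `host a or host b ...`, networks `net x/len`,
    and direction "src" or "dst" qualifies the address terms. `and` binds tighter than `or`
    in pcap-filter, so the or-group is parenthesised before a port term is appended."""
    prefix = direction + " " if direction else ""
    terms = ["%shost %s" % (prefix, h) for h in hosts] + ["%snet %s" % (prefix, n) for n in nets]
    expr = " or ".join(terms)
    if len(terms) > 1:
        expr = "(%s)" % expr
    if port is not None:
        expr = "%s and port %d" % (expr, port) if expr else "port %d" % port
    return expr


def packet_matches(hosts, nets, src, dst):
    """Evaluate an undirected host/net filter against a packet's (src, dst) pair."""
    for addr in (src, dst):
        if addr in hosts or any(net_match(addr, n) for n in nets):
            return True
    return False


if __name__ == "__main__":
    print(filter_expr(hosts=["192.168.1.2", "192.168.1.3", "192.168.1.4"], port=80))
    print(filter_expr(nets=["65.192.0.0/10"]))
    print(net_match("65.207.95.222", "65.192.0.0/10"))
```

On the command line the whole expression goes in single quotes so the shell leaves the parentheses alone, e.g. `tcpdump -ni eth0 -w servers.pcap '(host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4) and port 80'`; the parentheses matter because `host a or host b and port 80` means `host a or (host b and port 80)`.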
14 votes, 2 answers

CoreOS: tcpdump mysteriously solves network issue (excessive number of sockets used)

I've got a mystery for you today. We run a small, three-node Elasticsearch cluster based on CoreOS (2023.5.0 / Linux 4.19.25-coreos) on Azure. Elasticsearch is run inside a Docker container in host network mode. After running almost completely…